Home / malwarePDF  

SmartProtection2012


First posted on 25 February 2012.
Source: Microsoft

Aliases :

SmartProtection2012 is also known as Winwebsec (other), Smart Protection 2012 (other).

Explanation :

Smart Protection 2012 is a variant of Win32/Winwebsec - a family of programs that claims to scan for malware and displays fake warnings of "malicious programs and viruses". They then inform the user that he or she needs to pay money to register the software to remove these non-existent threats.

Win32/Winwebsec has been distributed with many different names. The name used by the malware, the user interface and other details vary to reflect each variant's individual branding. The following details describe Win32/Winwebsec when it is distributed with the name "Smart Protection 2012".


Top

Smart Protection 2012 is a variant of Win32/Winwebsec - a family of programs that claims to scan for malware and displays fake warnings of "malicious programs and viruses". They then inform the user that he or she needs to pay money to register the software to remove these non-existent threats.

Win32/Winwebsec has been distributed with many different names. The name used by the malware, the user interface and other details vary to reflect each variant's individual branding. The following details describe Win32/Winwebsec when it is distributed with the name "Smart Protection 2012".



Installation

When distributed as "Smart Protection 2012", Win32/Winwebsec creates a folder under %Common_AppData% with a randomly-generated name (for example, "c:\documents and settings\all users\application data\36B6A76C7DE2F19C603CE48DEEC1FB6E"). The fake scanner is copied to this folder, using the same name as that of the folder (for example "c:\documents and settings\all users\application data\36B6A76C7DE2F19C603CE48DEEC1FB6E\36B6A76C7DE2F19C603CE48DEEC1FB6E.exe").

It modifies the registry to ensure that the rogue is executed at each Windows start:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
Sets value: "<malware file name without the extension>" (for example, "36B6A76C7DE2F19C603CE48DEEC1FB6E")
With data: "<malware path and file name>" (for example, "c:\documents and settings\all users\application data\36B6A76C7DE2F19C603CE48DEEC1FB6E\36B6A76C7DE2F19C603CE48DEEC1FB6E.exe")



Payload

Displays false/misleading malware alerts

When run, Smart Protection 2012 performs a fake scan of the system, and falsely claims that a number of files on the system are infected with malware. Should users request that it clean the reported infections, it advises them that they need to pay money to register the program in order for it to do so.

Some examples of the interface, fake alerts, fake scanning results, and popups displayed by "Smart Protection 2012" are shown below:













Terminates processes
After installation, and upon each subsequent re-boot of the system, Smart Protection 2012 prevents the user from launching any application by terminating its process and displaying a message that falsely claims that the process is infected.

Win32/Winwebsec, however, avoids terminating the following processes:

  • aeadisrv.exe
  • alg.exe
  • audiodg.exe
  • csrss.exe
  • conhost.exe
  • ctfmon.exe
  • dwm.exe
  • explorer.exe
  • httpd.exe
  • iastordatamgrsvc.exe
  • iexplore.exe
  • lsass.exe
  • lsm.exe
  • mfnsvc.exe
  • mdnsresponder.exe
  • nvscpapisvr.exe
  • nvvsvc.exe
  • nvsvc.exe
  • pdagent.exe
  • searchindexer.exe
  • services.exe
  • slsvc.exe
  • smss.exe
  • snort.exe
  • spoolsv.exe
  • svchost.exe
  • taskhost.exe
  • wininit.exe
  • winlogon.exe
  • wmiprvse.exe
  • winroute.exe
  • wscntfy.exe




Analysis by Hamish O'Dea

Last update 25 February 2012

 

TOP